Communication

Throw Away the (Encryption) Key:

Secure Communication in the GDPR Age

There has never been more attention directed at privacy regulation, and with the heavy fines threatened by GDPR, the stakes have never been higher. In the age of heightened privacy concerns, Rob Scammell speaks to Wire CEO Morten Brogger about the platform’s unique approach to keeping messages secure

In many ways, Wire is just another encrypted messaging platform. It offers all the services you’d expect: video conferencing, group chats and file sharing with planned deletion dates.

The five-year-old platform boasts more than 500,000 unique monthly users, ranging from governments to the pharmaceutical industry.

But what makes Wire stand out is its approach to security. The Swiss startup, somewhat boldly, claims to have the most secure end-to end encryption in the industry. It’s a claim given some credence by the platform’s backing by Skype co-founder Janus Friis.

Wire CEO Morten Brogger says that the majority of platforms with end-to-end encryption are not as secure as you might think.

"The old way of building cloud or SaaS-based services like that was that everything was built in the servers in the middle and that's where you had all the logic,” he says.

“That's where you do all the processing, that's where all the storage happens, and that's where the security is done.”

This means that the encryption key exists on servers in the cloud, a potential vulnerability. Brogger says that “99.9 out of 100” of messaging platforms have this old model.

With the vendor holding a copy of message encryption keys, an employee of the vendor – in theory – could access private messages.

A different type of architecture

So, how does Wire ensure the highest levels of privacy? According to Brogger, it’s all about the architecture.

Wire designed its model so that it is impossible for the vendor to “look over your shoulder”, because it doesn’t have a copy of the encryption keys. Instead, they exist only on the devices of the user.

It does this using a distributed cloud. There is still a lot of logic on the servers on the cloud, as well as some of the processing and storage. However, some of the storing and processing is moved to the device of the user, whether it’s a mobile or desktop.

“By architecture, we do not have a chance to look over the shoulder,” says Brogger. “It means, by architecture, there is no backdoor.

“Our communication is completely private and completely secure, managed by that security.”

Multiple keys are harder to steal

Brogger concedes that everything can be hacked, but Wire has another line of defence – it updates its encryption keys after every message.

Even if someone were to beat Wire’s encryption algorithms, they would only gain access to one message that, without the rest of the conversation, would have no context. To gain access to a full conversation, a hacker would have to break into each message individually.

“We make it so hard to do it with very little risk of benefits going out of this,” he says. “So that's why we feel it's the most secure.

“There's no backdoors, we cannot look over the shoulder, by having encryption keys on the devices we ensure that the privacy is at the utmost highest level it can be and that the security is very high. And with the fact that we update the encryption keys after each message we make it extremely high security."

WhatsApp breaching GDPR

For many, hearing the word GDPR is likely to invoke groans. For others, such as German auto parts maker Continental AG, it invokes fear. In June, the company banned its 240,000 employees from using Facebook, WhatsApp or Snapchat on any of its company mobile phones.

The decision was prompted by privacy concerns: the services access your phonebook and collect that information without the permission of those third parties, something Brogger says is in direct breach of GDPR.

“If an employee there has customer data with your mobile phone number or email address, then that data gets uploaded into the cloud and that actually breaches the GDPR regulation because GDPR says if you are given private data away you have to consent to do it proactively.

“It's no longer an option to opt out, you have to opt in. And WhatsApp actually just takes it and uploads it."

“We are fully GDPR compliant, whereas a lot of the free consumer applications that have almost the same level of security are not.”

Wire, by contrast, has access to your phonebook but does not upload it to the cloud.

"The way we architectured this, we are fully GDPR compliant, whereas a lot of the free consumer applications that have almost the same level of security are not," says Brogger.

With fines of up to £20m or 4% of global turnover, there could soon be more joining Continental and throwing away the encryption key.

“Fundamentally, if you use a consumer application which is in an advertising-based monetisation model, that compromises privacy by default and that actually compromises the security of the enterprise."

PR nightmares: Ten of the worst corporate data breaches

LinkedIn, 2012

Hackers sold name and password info for more than 117 million accounts

Target, 2013

The personal and financial information of 110 million customers was exposed

JP Morgan, 2014

One JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m

Home Depot, 2014

Hackers stole email and credit card data from more than 50 million customers

Sony, 2014

Emails and sensitive documents were leaked, thought to be by North Korea im retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un

Hilton Hotels, 2015

Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data

TalkTalk, 2015

The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen

Tesco, 2016

Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts

Swift, 2016

Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve

Chipotle, 2017

Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang

LinkedIn, 2012

Hackers sold name and password info for more than 117 million accounts

Target, 2013

The personal and financial information of 110 million customers was exposed

JP Morgan, 2014

One JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m

Home Depot, 2014

Hackers stole email and credit card data from more than 50 million customers

Sony, 2014

Emails and sensitive documents were leaked, thought to be by North Korea im retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un

Hilton Hotels, 2015

Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data

TalkTalk, 2015

The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen

Tesco, 2016

Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts

Swift, 2016

Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve

Chipotle, 2017

Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang